WAR10CK's Fr33w0rld

Guild of Technomancers Middle Earth C&Cnet Crypto Details

Overview of the cryptographic security of the Command & Control Network

Command & Control Network Technical Cryptographic Information >>

Acronyms in this document:
HSM = Hardware Security Module
SHA3 = Secure Hash Algorithm 3
TCO = Trusted Crypto Officer
KMF = Key Management Facility
ECC = Elliptic Curve Cryptography
SSL = Secure Sockets Layer
PGP = Pretty Good Privacy
C&Cnet = Command & Control Network
RootSec = Root Security

The Command & Control Network uses NTRU 1248 Asymmetric Encryption. NTRU is a 3D Lattice Based Cryptosystem that is resistant to Shor’s Quantum Computing Algorithm. The two NTRU Algorithms in use are: NTRUEncrypt for actual data encryption and NTRUSign for data and message authentication.

Previously it used Elliptic Curve Cryptography (ECC) 512 Keys, and before that ElGamal 2048 Keys. After an undisclosed incident the ElGamal Keys were revoked and replaced with the ECC Keys. Then, after the Smaug and Five Armies Crisis, the ECC Keys were revoked and replaced with the current NTRU Keys.

WolfSSL with NTRU implementation is the main protocol for the C&Cnet. NTRU will be used from now on.

The system contains 6 Network Keys and one Root Key. Separate Protocols apply for changing the Root Key as it is the key with the highest security level. The Network Keys are used for sending and receiving the encrypted traffic and the Root Key is used to sign the Network Keys.

The Network Keys are unique to each individual HQ. This is so that not all traffic is tied to a single key. The Root Key is used to sign all other Network Keys and is split into 7 fragments when it is to be changed. Any new Network Keys will not be allowed to access the C&Cnet until they are signed by the Root Key.

These keys are not known to anyone and are kept in tamper proof HSMs. No person ever sees them. That way they can never be leaked out. If the HSM is tampered with in any way, the key inside will self-destruct.

The only way you can change the Network Keys is via the use of a briefcase sized HSM called The Encryptor. The security of this HSM is effectively as strong as the Nuclear Football with multiple biometric and other security checks required to start the key changing process.

This HSM can only generate Network Keys, which the system considers Invalid until Signed by the Root Key. The Root Key is generated using a different HSM located in the C&Cnet RootSec Facility: Anduril Sword. Anduril Sword’s location is classified. (Pssst… It’s located in the Shire.)

Also take note of this number as it is the Root Passphrase in Base64 Encoding: 1235711131719232931314159265161803398874989141194123
2215530000577215609159655941235813213455271828182845
123456010101

The Root Passphrase is split into 7 fragments using Shamir’s Secret Sharing Scheme or the S4 Splitting Algorithm. These fragments are stored in Secured HSM Smart Cards with Anti-Magic Tamper Proof Crypto Chips. The 7 fragments are retained by 7 individuals on Middle Earth. The names of these TCOs are classified. They must all be present at the Anduril Sword RootSec Facility and 5 must have their fragments ready to reconstruct the passphrase, which is automatically entered into the HSM when each card is inserted into it.

They are only used in the RootSec Facility when the Root Key is being changed. During a Network Key Change the cards are used in the Root Passphrase HSM stored in the appropriate KMF to sign the new key.

Here are the Fragments:


SHA3-512 Hash Checksum USED TO VERIFY PASSPHRASE INTEGRITY >>
819d6881468589aef41a44ae51db58145d05c0a5892a53319bcb8
db6508cf8bacd24014a228bd2f5f7fbac0b81581635be0f655c7636
511feab7c238b4e04854

The PGP Words for SHA3-512 Hash Checksum TO BE RECITED BY THE TCOs WHEN VERIFYING THE PASSPHRASE INTEGRITY >>
minnow Ohio frighten inventive cubic leprosy nightbird performance upshot Bradbury crumpled performance drunken suspicious endorse belowground exceed almighty slowdown paperweight nightbird chambermaid dwelling company puppy revival optic potato drumbeat megaton Vulcan puberty spindle Capricorn absurd direction blockade Medusa standard visitor virus Wichita ribcage armistice minnow everyday backward conformist skydive atmosphere fracture fascinate inverse congregate drunken businessman Trojan processor snapshot consulting scenic tobacco deadbolt equation

Threshold is 5-7 which means five of the seven TCOs must be present to reconstruct the Root Passphrase.
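The 5-of-7 split and the SHA3-512 integrity check described above can be sketched as follows. This is an added example, not code from the original page or from the C&Cnet itself; the prime field, the function names and the sample passphrase are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumption: shares live in the prime field GF(2**521 - 1); the page names no field.
P = 2**521 - 1
N_SHARES, THRESHOLD = 7, 5  # the page's policy: 7 fragments, any 5 reconstruct

def split(secret: bytes, n: int = N_SHARES, k: int = THRESHOLD):
    """Return n points on a random degree k-1 polynomial f with f(0) = secret."""
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret does not fit in the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares) -> int:
    """Lagrange-interpolate f(0) from the supplied (x, y) shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover(shares, length: int, checksum_hex: str):
    """Rebuild the secret; release it only if its SHA3-512 digest matches."""
    try:
        candidate = combine(shares).to_bytes(length, "big")
    except OverflowError:  # value too large: too few or corrupted shares
        return None
    digest = hashlib.sha3_512(candidate).hexdigest()
    return candidate if secrets.compare_digest(digest, checksum_hex) else None

# Constructed sample passphrase, not the value shown on the page.
PASSPHRASE = b"constructed-sample-root-passphrase"
CHECKSUM = hashlib.sha3_512(PASSPHRASE).hexdigest()

if __name__ == "__main__":
    cards = split(PASSPHRASE)
    print(recover(cards[2:], len(PASSPHRASE), CHECKSUM))  # 5 cards: passphrase
    print(recover(cards[:4], len(PASSPHRASE), CHECKSUM))  # 4 cards: None
```

Any five or more cards give the same result, while four cards or a single altered card interpolate to an unrelated value that the checksum comparison rejects.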

Furthermore, the Root Keys are encrypted with a KHAZAD-128 Symmetric Key which is split into 7 more fragments stored in 7 more Smart Cards, also with a 5-7 threshold. Those are each retained by the TCOs as well but are used in a different HSM from the Root Passphrase HSM. These are used for both changing the Root Key and signing Network Keys.

Here are those fragments:


SHA3-512 Hash Checksum >>
9ab476f3d9c6457e499dd7c42f70aafafa6344cf6521d634796e868
7f6140354573c23cefd559fe5e8d25f65f38c9ef5f6278c3c87b7b87
b0448cd5af9cfbe01

PGP Words for SHA3-512 Hash Checksum >>
pupil politeness inverse vertigo sugar responsive crusade insurgent deckhand Ohio stopwatch reproduce cement hesitate reward whimsical wallet Galveston crumpled Saturday fracture Camelot stockman confidence jawbone headwaters necklace liberty village belowground acme equation eightball crossover blowtorch sardonic willow equipment quota travesty trauma sensation eyetooth glossary upset megaton quiver visitor village celebrate offload crossover Neptune processor select inferno adrift dictator spindle existence waffle Saturday skydive adviser

All keys stored in the smart cards can be changed at any time.
